
DP-03 Data Protection Impact Assessment Policy

Last updated: 24 October 2024 at 12:24:34 UTC by Dom Tyler

Data Protection Impact Assessment Policy

Document Ref No: DP-03
Version No: V1.0
Last review date: 03/10/2021
Approved by: 
Next review: 03/10/2022

Contents

1. Introduction
2. Purpose, scope and users
3. What is a Data Protection Impact Assessment?
4. When do we need a DPIA?
5. DPIA in practice
6. Document management
7. Version Control


1.    Introduction

Recycly has a legal and ethical duty to protect and to avoid unnecessary interference with the privacy of individuals.

In order to carry out our services, we are required to undertake actions that may affect the privacy of:

- People who use the services we provide.

- Our own staff, and the staff of other organisations we work with.

It is vital that the likely impact of Recycly's actions on the privacy of Data Subjects is understood and that the risks to privacy are robustly managed. Any interference with personal privacy must be minimised as far as possible and must be appropriate and proportionate.

To enable Recycly to address these privacy concerns and risks, a technique referred to as a Data Protection Impact Assessment (DPIA) must be used. This process helps ensure that we comply with the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA).

 

2.    Purpose, scope and users

This policy applies to all Recycly staff and to all activities in which new personal data is processed or existing personal data is processed in a new way.

 

3.    What is a Data Protection Impact Assessment?

A Data Protection Impact Assessment (DPIA) is a way to systematically and comprehensively analyse the proposed processing of personal data and to help identify and minimise data protection risks.

DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage.

A DPIA must:

- Describe the nature, scope, context and purposes of the processing

- Assess necessity, proportionality and compliance measures

- Identify and assess risks to individuals

- Identify any additional measures to mitigate those risks

When assessing the risk, the likelihood and the severity of any impact on individuals must be taken into consideration.

4.    When do we need a DPIA?

A DPIA must be completed before any new personal data is processed or existing personal data is processed in a new way. This includes new projects and new processes, for example:

- New IT systems for storing and accessing personal data

- Sharing data with any other organisation

- A proposal to identify people in a particular group or holding a particular opinion, e.g. a survey

- Using existing data for a new and unexpected, or more intrusive, purpose

- Applying new technology to an existing system

- A new database that consolidates information held by separate parts of the business

- Transferring services into or out of Recycly, e.g. cloud hosting

 

5.    DPIA in practice

Managing data protection effectively, in line with legislation, current guidance and best practice, enables the effective use of information for the benefit of our customers and assures all concerned that their information is managed safely and used appropriately.

All new projects, procedures and policies that involve using or sharing personal information require a completed DPIA at the initial stages, before any procurement decision is made and before any personal data is processed. The DPIA will be completed by the Project Lead.

The Project Lead must be in a position to influence the design and development of the project and to participate fully in the project design.

DPIAs will be managed and recorded via the Data Protection Impact Assessment. All information associated with a DPIA must be stored in a dedicated folder titled with the relevant reference number (e.g. DPIA-001).

In the event of a breach of confidentiality or information security, the DPIA and any associated information will be used as evidence in the investigation and may be requested by the relevant Data Protection Authority.

Any risks identified during the DPIA process must be managed in accordance with Recycly's Risk Assessment and Treatment Policy.

Where a high risk is identified that cannot be mitigated, Recycly must consult the relevant Supervisory Authority before the processing begins. The Supervisory Authority will give written advice within eight weeks (or fourteen weeks in complex cases). This advice should be followed as closely as possible.

 

6.    Document management

Dom Tyler is responsible for the maintenance and accuracy of this policy. It must be reviewed and, if necessary, updated at least once a year. Notice of significant revisions shall be

 

7.    Version Control

Summary of Change   Date of Change   Author      Version No
First Draft         03/10/2021       Dom Tyler   1